Does Amcache record DLLs?
Yes — on Windows 10 build 1709 (October 2017) and later. The
Root\InventoryApplicationFile key records both EXEs and DLLs
that the Compatibility Appraiser classifies as PE files, with the
same schema for both: full path, SHA-1 hash, publisher, version,
link date, ProgramId, and KeyLastWriteTimestamp.
Earlier Windows builds used the legacy schema (Root\File and
Root\Programs), which was sparser and inconsistent about DLLs.
For any modern Windows 10/11 investigation, assume DLL coverage.
How to find DLLs in the CSV#
In AmcacheParser's *_UnassociatedFileEntries.csv and
*_AssociatedFileEntries.csv:
Import-Csv .\HOST_amcache_UnassociatedFileEntries.csv |
Where-Object { $_.Name -like '*.dll' } |
Select-Object FullPath, Hash, KeyLastWriteTimestamp, PublisherOr filter by BinaryType — DLLs often surface as pe32 or
pe64 with .dll extension.
Per-process DLL loads vs Amcache DLL records#
These are very different signals:
| Amcache DLL record | Sysmon 7 (Image Loaded) | |
|---|---|---|
| Triggered by | Appraiser inventory pass | Each process load of the DLL |
| Frequency | ~Daily | Real-time |
| Records process context? | No | Yes |
| Records load time? | Inventory time only | Load time per process |
| Cross-process visibility? | No | Yes — per process |
For investigations focused on which process loaded which DLL,
Sysmon Event ID 7 is the right artefact. For investigations
focused on was this DLL present on this host, Amcache is the
right artefact. The combination — joining Amcache Hash to
Sysmon 7 Hashes — gives you the full DLL-side picture.
DLL-side attacks Amcache catches#
- DLL sideloading. Attacker-dropped DLL alongside a legitimate
EXE that loads it. The attacker DLL appears in
*_UnassociatedFileEntries.csvwith an unusual path and a blankPublisher. - Hijacked system DLLs. Same
FullPathappearing twice with differentHashvalues across twoKeyLastWriteTimestampmoments — the DLL at that path changed. Strong indicator of binary replacement. - Reflective-load decoys. The decoy DLL (the disk one) appears in Amcache. The actual loaded version is in memory only and won't show in Amcache — but Sysmon Event ID 7 will catch the load.
For the full DLL-bearing investigation workflow, see Hunting commodity malware with Amcache.
What Amcache doesn't catch#
- DLLs loaded only from memory. Reflective loaders (Cobalt Strike, Sliver, Metasploit Meterpreter) load DLLs from buffers, not from disk. Those DLLs may never touch a file the appraiser can scan.
- DLLs in paths the appraiser doesn't scan. Some custom paths fall outside the appraiser's default scope.
- Per-process load context. Amcache doesn't say which process loaded the DLL — use Sysmon 7.
Related#
- Amcache registry structure — where DLL entries live.
- Amcache FileId explained — the DLL's hash format.
- Hunting commodity malware with Amcache — the DLL-side triage playbook.
Related posts
- Why is my Amcache.hve empty?
Three common causes: the Compatibility Appraiser is disabled, the host is freshly imaged, or you're collecting from a Server / Server Core where the appraiser runs much less often.
- Where is the Amcache registry key?
Amcache is its own hive file at C:\Windows\AppCompat\Programs\Amcache.hve — not a key under HKLM. When loaded by tools or by Windows itself it mounts as HKLM\Amcache.
- What does Amcache.hve contain?
Amcache.hve contains inventory records for every PE binary, driver, and connected device the Windows Compatibility Appraiser has seen — with SHA-1 hashes, paths, publishers, and timestamps.
- What's a .pf file vs an Amcache entry?
.pf files are Windows Prefetch records — proof a binary executed, with run timestamps and loaded-files lists. Amcache entries record presence, with the SHA-1 hash and metadata.